satow

Adobe Serializer (Commercial) Mis-Detected


I am using the fully paid version of Immunet.Plus 3.0 on a Windows Server 2003 (32 bit). It is my main file and binary server. We have an agreement with Adobe which allows us to install their Master collection suite on various machines using a program called a serializer. This program is valid and was given to us directly from Adobe. This serializer generates the license code and registers the software with Adobe.

The problem I am having is that the Quarantine agent keeps quarantining the serializer executable. We know it is legitimate and not a trojan. It detects it as a Clam.Trojan.Agent-260901. I try to put it into the Protection Exclusions list under Settings, but it keeps on quarantining the files. Is there a fix or a way to prevent the quarantining of this file?

Thanks,

Bruce


Hi Bruce,

You could try to restore the file from Quarantine. Open the GUI > just below History click on Quarantine > find the file in question, click on it and click on Restore. That should automatically put the correct file path in Immunet's Exclusion List and Adobe's serializer should work then.

There is a very small chance the file may not restore properly from Quarantine, or something else with the program may conflict with Immunet so that the file keeps getting quarantined. If that occurs, try manually adding the entire Program Files folder into the Exclusion List, if the software has created a folder in the Program Files directory. Also, before running the executable again, temporarily disable "Monitor Program Install" and "Blocking Mode" in the Settings as well.

If you continue to have problems please send an SDT report to support@immunet.com. Submitting a copy of the software or where to download it from with the SDT report might be helpful too. That way it can be manually "whitelisted" on the server side. How to create and submit an SDT report can be found here.

Best regards, ritchie58...


Very interesting.... there are a few solutions here:

 

1) As richie pointed out you can add an exclusion for the file. Actually, make sure you exclude the entire directory that the serializer is installed to, not just the serializer binary itself. This should prevent it and any files it generates from being quarantined.

2) You can send the serializer installer to support@immunet.com and we can have our malware analysts examine it, and whitelist it if it is indeed safe. Check with IT admins before sending us this file though, as it may be considered proprietary/company property.

3) If 2 is a no go you can contact your Adobe rep and get them in contact with us, and I'm sure we can find a way to avoid FP'ing on their files.

All of the above options will take some time though - probably between two weeks and a couple of months.

4) If you are using fireAMP (Immunet's Enterprise solution), you can whitelist this file immediately (this is exactly the type of thing fireAMP was built to handle).


Thanks everyone. Yes the add exception from the quarantine works. I found you have to make an exception for the directory AND the binary. Then it works and the serializer binary doesn't get quarantined.

 

I think I understand the logic. If you just make an exception for the directory, if someone puts an infected file inside that directory after it has been excepted, then the file inside might not get quarantined. If you do just the file in the directory, the other files in that directory might be infected. Interesting....
